A storage system is a computer that provides storage service relating to the organization of information on writable persistent storage devices, such as memories, tapes or disks. The storage system is commonly deployed within a storage area network (SAN) or a network attached storage (NAS) environment. When used within a NAS environment, the storage system may include an operating system that implements a file system to logically organize the information as a hierarchical structure of data containers, such as files on, e.g., the disks. Each “on-disk” file may be implemented as a set of data structures, e.g., disk blocks, configured to store information, such as the actual data (i.e., file data) for the file.
The storage system may be further configured to operate according to a client/server model of information delivery to thereby allow many client systems (clients) to access shared resources, such as files, stored on the storage system. Sharing of files is a hallmark of a NAS system, which is enabled because of its semantic level of access to files and file systems. Storage of information on a NAS system is typically deployed over a computer network comprising a geographically distributed collection of interconnected communication links, such as Ethernet, that allow clients to remotely access the information (files) on the filer. The clients typically communicate with the storage system by exchanging discrete frames or packets of data according to pre-defined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP).
In the client/server model, the client may comprise an application executing on a computer that “connects” to the storage system over a computer network, such as a point-to-point link, shared local area network, wide area network or virtual private network implemented over a public network, such as the Internet. NAS systems generally utilize file-based access protocols; therefore, each client may request the services of the storage system by issuing file system protocol messages (in the form of packets) to the file system over the network identifying one or more files to be accessed without regard to specific locations, e.g., blocks, in which the data are stored on disk. By supporting a plurality of file system protocols, such as the conventional Common Internet File System (CIFS) and the Network File System (NFS) protocols, the utility of the storage system may be enhanced for networking clients.
A SAN is a high-speed network that enables establishment of direct connections between a storage system and its storage devices. The SAN may thus be viewed as an extension to a storage bus and, as such, an operating system of the storage system enables access to stored data using block-based access protocols over the “extended bus”. In this context, the extended bus is typically embodied as Fibre Channel (FC) or Ethernet media adapted to operate with block access protocols, such as Small Computer Systems Interface (SCSI) protocol encapsulation over FC (e.g., FCP) or TCP (iSCSI).
SCSI is a peripheral input/output (I/O) interface with a standard, device independent protocol that allows different peripheral devices, such as disks, to attach to a storage system. In SCSI terminology, clients operating in a SAN environment are “initiators” that initiate commands and requests to access data. The storage system is thus a “target” configured to respond to the data access requests issued by the initiators in accordance with a request/response protocol. The initiators and targets have endpoint addresses that, in accordance with the FC protocol, comprise worldwide names (WWN). A WWN is a unique identifier, e.g., a node name or a port name, consisting of an 8-byte number.
A SAN arrangement or deployment allows decoupling of storage from the storage system, such as an application server, and some level of information storage sharing at the storage system level. There are, however, environments wherein a SAN is dedicated to a single storage system. In some SAN deployments, the information is organized in the form of databases, while in others a file-based organization is employed. Where the information is organized as files, the client requesting the information maintains file mappings and manages file semantics, while its requests (and storage system responses) address the information in terms of block addressing on disk using, e.g., a logical unit number (lun).
A network environment may be provided wherein information (data) is stored in secure storage served by one or more storage systems coupled to one or more security appliances. Each security appliance is configured to transform unencrypted data (cleartext) generated by clients (or initiators) into encrypted data (ciphertext) destined for secure storage or “cryptainers” on the storage system (or target). As used herein, a cryptainer is a piece of storage on a storage device, such as a disk, in which the encrypted data is stored. In the context of a SAN environment, a cryptainer can be, e.g., a disk, a region on the disk or several regions on one or more disks that, in the context of a SAN protocol, is accessible as a lun. In the context of a NAS environment, the cryptainer may be a collection of files on one or more disks. Specifically, in the context of the CIFS protocol, the cryptainer may be a share, while in the context of the NFS protocol, the cryptainer may be a mount point. In a tape environment, the cryptainer may be a tape containing a plurality of tape blocks.
Each cryptainer is associated with its own encryption key, e.g., a cryptainer key, which is used by the security appliance to encrypt and decrypt the data stored on the cryptainer. An encryption key is a code or number which, when taken together with an encryption algorithm, defines a unique transformation used to encrypt or decrypt data. Data remains encrypted while stored in a cryptainer until requested by an authorized client. At that time, the security appliance retrieves the encrypted data from the cryptainer, decrypts it and forwards the unencrypted data to the client.
A storage system typically exports one or more luns for use by a client to utilize storage space for one or more applications, such as Microsoft Exchange. In such environments, the client overlays a file system onto the storage space provided by the luns exported by the storage system and the application stores one or more files or other data containers on the file system. A security appliance may be interposed between the client and the storage system to ensure that the data stored on the luns is encrypted. However, a noted disadvantage arises in that an administrator must track which encryption keys are associated with a particular lun. This may become problematic when, e.g., a particular lun is migrated from one storage system to another, a lun is backed up and then restored to a different storage system after, e.g., a failure of a storage system, etc. Furthermore, in storage systems that support generation of point in time images, such as snapshots or persistent consistency point images (PCPIs), a PCPI may be restored to an active file system, thereby resulting in a new lun being exported.
A trivial solution to maintaining and tracking appropriate encryption keys is to require that all luns in storage system installation share a common encryption key. However should the single key be compromised, an obvious disadvantage of such a solution is that all of the luns of the installation are similarly vulnerable to compromise. Furthermore, a single storage system may host data from a plurality of different entities which may not have a complete trust relationship among the entities. For example, in a storage service provider (SSP) environment, a single storage system may host luns for a variety of differing companies or other business entities which may be competitors. By having common encryption keys among the various luns, security is compromised among the various business entities.
Another potential solution is to utilize metadata stored in arbitrary blocks of a lun to track the plurality of encryption keys. However, a noted disadvantage of such an implementation is that, depending on where clients desire to store data, it may not be possible to store the metadata in arbitrary locations. Thus, storing the metadata may potentially overwrite client stored data.